coreruleset / modsecurity-crs-docker

Official ModSecurity Docker + Core Rule Set (CRS) images
https://coreruleset.org
Apache License 2.0

generate-certificate exited with code 1 #255

Closed nurlanchip closed 1 month ago

nurlanchip commented 1 month ago

Hi everyone, I need help. I'm getting an error when running docker compose for modsecurity-crs:

modsec-apache     | /usr/local/bin/generate-certificate: generating new certificate
modsec-apache     | Warning: No -copy_extensions given; ignoring any extensions in the request
modsec-apache     | /usr/local/bin/generate-certificate: generated /usr/local/apache2/conf/server.key and /usr/local/apache2/conf/server.crt
modsec-apache     | 
modsec-apache exited with code 1

This is the docker compose from https://coreruleset.org/docs/deployment/install/:


services:
  modsec-apache:
    container_name: modsec-apache-alpine
    image: owasp/modsecurity-crs:apache-alpine
    environment:
      SERVERNAME: modsec-apache-alpine
      BACKEND: "http://192.168.1.10:3000/"
      PORT: "80"
      MODSEC_AUDIT_ENGINE: On
      MODSEC_RULE_ENGINE: On
      BLOCKING_PARANOIA: 2
      ERRORLOG: "/var/log/modsec_error.json"
      ACCESSLOG: "/var/log/modsec_access.json"
      MODSEC_AUDIT_LOG_FORMAT: JSON
      MODSEC_AUDIT_LOG_TYPE: Serial
      MODSEC_AUDIT_LOG_PARTS: ABDEFHIJZ
      MODSEC_AUDIT_LOG: "/var/log/modsec_audit.json"
      MODSEC_TMP_DIR: "/tmp"
      MODSEC_RESP_BODY_ACCESS: "On"
      MODSEC_RESP_BODY_MIMETYPE: "text/plain text/html text/xml application/json"
      COMBINED_FILE_SIZES: "65535"
    volumes:
      - "/var/log/:/var/log/"
    ports:
      - "80:80"

  juiceshop_prod:
    image: bkimminich/juice-shop
    ports:
      - "3000:3000"

fzipi commented 1 month ago

Hi @nurlanchip

I see you are using port 80 there. The image was updated to run as an unprivileged user:

Both nginx and httpd containers now run with an unprivileged user. This means that we cannot bind to ports below 1024, so you might need to correct your PORT and SSL_PORT settings. Now the defaults for both nginx and httpd are 8080 and 8443.

nurlanchip commented 1 month ago

I have changed the port like this:

services:
  modsec-apache:
    container_name: modsec-apache
    image: owasp/modsecurity-crs:apache
    environment:
      SERVERNAME: modsec-apache
      BACKEND: "http://192.168.1.10:3000"
      PORT: "8080"
      MODSEC_AUDIT_ENGINE: On
      MODSEC_RULE_ENGINE: On
      BLOCKING_PARANOIA: 2
      ERRORLOG: "/var/log/modsec_error.json"
      ACCESSLOG: "/var/log/modsec_access.json"
      MODSEC_AUDIT_LOG_FORMAT: JSON
      MODSEC_AUDIT_LOG_TYPE: Serial
      MODSEC_AUDIT_LOG_PARTS: ABDEFHIJZ
      MODSEC_AUDIT_LOG: "/var/log/modsec_audit.json"
      MODSEC_TMP_DIR: "/tmp"
      MODSEC_RESP_BODY_ACCESS: "On"
      MODSEC_RESP_BODY_MIMETYPE: "text/plain text/html text/xml application/json"
      COMBINED_FILE_SIZES: "65535"
    volumes:
      - "/var/log/:/var/log/"
    ports:
      - "80:8080"

  juiceshop_prod:
    image: bkimminich/juice-shop
    ports:
      - "3000:3000"

Still getting an error like this:

modsec-apache     | /usr/local/bin/generate-certificate: generating new certificate
modsec-apache     | Warning: No -copy_extensions given; ignoring any extensions in the request
modsec-apache     | /usr/local/bin/generate-certificate: generated /usr/local/apache2/conf/server.key and /usr/local/apache2/conf/server.crt
modsec-apache     | AH00526: Syntax error on line 24 of /etc/modsecurity.d/modsecurity.conf:
modsec-apache     | ModSecurity: Failed to open the audit log file: /var/log/modsec_audit.json
modsec-apache exited with code 1

fzipi commented 1 month ago

Makes total sense. The user apache does not have permissions to create a file there 😄.

Try using /tmp/modsec_audit.json or mounting the file to a temporary folder.

nurlanchip commented 1 month ago

Still getting an error like this:

modsec-apache     | /usr/local/bin/generate-certificate: generating new certificate
modsec-apache     | Warning: No -copy_extensions given; ignoring any extensions in the request
modsec-apache     | /usr/local/bin/generate-certificate: generated /usr/local/apache2/conf/server.key and /usr/local/apache2/conf/server.crt
modsec-apache     | AH00526: Syntax error on line 24 of /etc/modsecurity.d/modsecurity.conf:
modsec-apache     | ModSecurity: Failed to open the audit log file: /tmp/modsec_audit.json
modsec-apache exited with code 1

Can you provide a docker compose that can run? My goal is to create a reverse proxy in front of OWASP Juice Shop 😄

theseion commented 1 month ago

We don't do anything different than you. But please check the contents of your /var/log (on the host).

  1. Ensure that modsec_audit.json exists. If it doesn't: touch /var/log/modsec_audit.json.
  2. Ensure that modsec_audit.json is not a directory.
  3. Ensure that the file is writable. To make it simple, just give write privileges to all users: chmod o+w /var/log/modsec_audit.json.
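The three checks above as a pre-flight script to run before docker compose up. This is an added example, not code from the modsecurity-crs-docker project; the function names and the ./logs directory layout are assumptions, and the file names come from the ERRORLOG, ACCESSLOG and MODSEC_AUDIT_LOG settings in the compose file in this thread:

```shell
#!/bin/sh
# Hypothetical pre-flight helper (not part of modsecurity-crs-docker).
# Implements the three checks from the comment above for the files named
# by ERRORLOG, ACCESSLOG and MODSEC_AUDIT_LOG in the compose file.
MODSEC_LOG_FILES="modsec_error.json modsec_access.json modsec_audit.json"

# check_modsec_logfile PATH: 0 if PATH is a regular file writable by
# "others" (the container user is not the host user), else print why, 1.
check_modsec_logfile() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "missing: $path" >&2; return 1
    fi
    # Docker creates a missing bind-mount source as a directory, which is
    # how a directory ends up squatting on a log file name.
    if [ -d "$path" ]; then
        echo "is a directory, not a file: $path" >&2; return 1
    fi
    if [ ! -f "$path" ]; then
        echo "not a regular file: $path" >&2; return 1
    fi
    # Octal mode (GNU stat first, BSD/macOS stat as fallback); test the
    # other-write bit rather than -w, which only checks the current user.
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    if [ $(( (mode % 10) & 2 )) -eq 0 ]; then
        echo "not writable by others (mode $mode): $path" >&2; return 1
    fi
    return 0
}

# prepare_modsec_logs DIR: create DIR and the log files, chmod o+w them as
# suggested above, then re-check each; returns 1 if any check still fails.
prepare_modsec_logs() {
    dir="$1"; rc=0
    mkdir -p "$dir" || return 1
    for name in $MODSEC_LOG_FILES; do
        path="$dir/$name"
        # touch succeeds on an existing directory, so skip it and let the
        # check below report the problem instead of hiding it.
        if [ ! -d "$path" ]; then
            touch "$path" && chmod o+w "$path"
        fi
        check_modsec_logfile "$path" || rc=1
    done
    return $rc
}

# Usage with a dedicated ./logs directory instead of the host's /var/log:
#   prepare_modsec_logs ./logs && docker compose up
```

Mounting a dedicated directory such as ./logs rather than the host's whole /var/log keeps the container from writing anywhere else on the host.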

fzipi commented 1 month ago

Hi @nurlanchip.

Just copied your configuration. Changed the volume /var/log to be ./logs, so I can test in a subdirectory. Also changed backend to be BACKEND: "http://juiceshop_prod:3000".

This is the containers' startup:

❯ docker compose up
[+] Running 22/22
 ✔ juiceshop_prod 21 layers  Pulled  22.1s
[+] Running 3/3
 ✔ Network test-255_default             Created  0.1s
 ✔ Container test-255-juiceshop_prod-1  Created  1.0s
 ✔ Container modsec-apache              Created  1.0s
Attaching to modsec-apache, juiceshop_prod-1
modsec-apache     | /usr/local/bin/generate-certificate: generating new certificate
modsec-apache     | Warning: No -copy_extensions given; ignoring any extensions in the request
modsec-apache     | /usr/local/bin/generate-certificate: generated /usr/local/apache2/conf/server.key and /usr/local/apache2/conf/server.crt
juiceshop_prod-1  | info: All dependencies in ./package.json are satisfied (OK)
juiceshop_prod-1  | info: Detected Node.js version v20.12.2 (OK)
juiceshop_prod-1  | info: Detected OS linux (OK)
juiceshop_prod-1  | info: Detected CPU arm64 (OK)
juiceshop_prod-1  | info: Configuration default validated (OK)
juiceshop_prod-1  | info: Entity models 19 of 19 are initialized (OK)
juiceshop_prod-1  | info: Required file server.js is present (OK)
juiceshop_prod-1  | info: Required file main.js is present (OK)
juiceshop_prod-1  | info: Required file index.html is present (OK)
juiceshop_prod-1  | info: Required file styles.css is present (OK)
juiceshop_prod-1  | info: Required file runtime.js is present (OK)
juiceshop_prod-1  | info: Required file vendor.js is present (OK)
juiceshop_prod-1  | info: Required file polyfills.js is present (OK)
juiceshop_prod-1  | info: Port 3000 is available (OK)
juiceshop_prod-1  | info: Chatbot training data botDefaultTrainingData.json validated (OK)
juiceshop_prod-1  | info: Domain https://www.alchemy.com/ is reachable (OK)
juiceshop_prod-1  | info: Server listening on port 3000

Docker ps shows everything running properly:

❯ docker ps
CONTAINER ID   IMAGE                          COMMAND                  CREATED          STATUS                    PORTS                          NAMES
4d5c08011e9f   owasp/modsecurity-crs:apache   "/docker-entrypoint.…"   32 seconds ago   Up 30 seconds (healthy)   80/tcp, 0.0.0.0:80->8080/tcp   modsec-apache
7a6dcf9080f0   bkimminich/juice-shop          "/nodejs/bin/node /j…"   32 seconds ago   Up 30 seconds             0.0.0.0:3000->3000/tcp         test-255-juiceshop_prod-1
dfd7f3684d0e   arm64v8/mysql                  "docker-entrypoint.s…"   3 weeks ago      Up About a minute         3306/tcp, 33060/tcp            mysql
b01542585c51   arm64v8/postgres:16-alpine     "docker-entrypoint.s…"   3 weeks ago      Up About a minute         5432/tcp                       postgres

And then queried the service without problems:

❯ curl localhost -v
* Host localhost:80 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:80...
* Connected to localhost (::1) port 80
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/8.6.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 23 May 2024 13:05:28 GMT
< Server: Apache
< Access-Control-Allow-Origin: *
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Feature-Policy: payment 'self'
< X-Recruiting: /#/jobs
< Accept-Ranges: bytes
< Cache-Control: public, max-age=0
< Last-Modified: Thu, 23 May 2024 13:05:07 GMT
< ETag: W/"ea4-18fa58e264f"
< Content-Type: text/html; charset=UTF-8
< Content-Length: 3748
< Vary: Accept-Encoding
<
<!--
  ~ Copyright (c) 2014-2023 Bjoern Kimminich & the OWASP Juice Shop contributors.
  ~ SPDX-License-Identifier: MIT
  --><!DOCTYPE html><html lang="en"><head>
  <meta charset="utf-8">
  <title>OWASP Juice Shop</title>
  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
...

So I would go ahead and mark this as solved.